I am trying to learn the details of using a PIV / smartcard to sign an executable like a jar. Employing this is easy, but I'm curious about what information gets exchanged between my computer and the smartcard. I have searched around but I haven't found what I was hoping to find - some kind of flow or sequence diagram. The thing I'm most curious about is how much data gets sent to the device. It seems too fast to be sending the entire jar. Does it work something like how Debian repository signatures work, where the computer generates a file of HMACs and only THAT is signed?
According to the JAR file format specification, a message digest of the JAR file is signed, not the whole content of the JAR. Therefore, only the digest is sent to the card. For instance, with a digest like SHA-256, only 32 bytes must be sent to the smartcard.
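The digest chain behind that answer, as an added example that is not part of the original answer or of any signing tool's code: per-entry digests go into `MANIFEST.MF`, digests of the manifest go into the `.SF` file, and only the hash of the `.SF` file reaches the signing step. It assumes SHA-256 and a signature computed directly over the `.SF` bytes; the entry names and contents are constructed sample data, and `signer_input` is a hypothetical helper name.

```python
import base64
import hashlib

def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def signer_input(entries: dict) -> tuple:
    """Return (manifest, sf, digest) for constructed entries (name -> bytes).

    Simplified: no 72-byte line wrapping, and the PKCS#7 signature block
    that a real tool builds around the signature is not produced here.
    """
    # MANIFEST.MF: one section per entry, holding the digest of its content.
    sections = {
        name: f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(body)}\r\n\r\n".encode()
        for name, body in sorted(entries.items())
    }
    manifest = b"Manifest-Version: 1.0\r\n\r\n" + b"".join(sections.values())

    # .SF file: digest of the whole manifest, then of each manifest section.
    sf = (f"Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {b64_sha256(manifest)}\r\n\r\n").encode()
    for name, section in sections.items():
        sf += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(section)}\r\n\r\n".encode()

    # Only this hash of the .SF file is the input to the private-key operation.
    return manifest, sf, hashlib.sha256(sf).digest()

# Constructed sample data: a tiny "JAR" and one with an 8 MiB entry.
SMALL = {"app/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 60}
LARGE = {**SMALL, "lib/blob.bin": bytes(8 * 1024 * 1024)}

if __name__ == "__main__":
    for label, jar in (("small", SMALL), ("large", LARGE)):
        manifest, sf, digest = signer_input(jar)
        total = sum(len(b) for b in jar.values())
        print(f"{label}: content={total} B, manifest={len(manifest)} B, "
              f".SF={len(sf)} B, to signer={len(digest)} B")
```

Depending on the signature scheme, the host may wrap the 32-byte hash in padding or an encoding structure before it is transmitted, but that size still does not grow with the JAR.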